#!/usr/bin/env bash
# name: baseline_redflag7.9_v3.1.sh
# desc: Strengthen the operating system.
# changelog:
# - 2021/2/1 Add disable scp
# - 2021/5/31 Add file or diretory permission
# - 2022/6/1  Add disabel selinux ... tool check
# - 2022/6/2  Add RHN bug fix
# - 2022/10/31 Add pam_tally2.so and rc.local

export LANG=en_US.UTF-8
export REPOIP

hgip=`ip a | grep -E 'inet 177.222|inet 181|inet 183|inet 61|inet 63'`
dqip=`ip a | grep -E 'inet 177.224|inet 177.225|inet 177.226|inet 182|inet 62'`

if [ ! -z "$hgip" ]; then
        REPOIP=181.2.181.44
		#REPOIP=61.53.2.57
elif [ ! -z "$dqip" ]; then
        REPOIP=182.8.151.170
		#REPOIP=62.53.2.37
else
        echo "IP address is error! Please check!"
		exit
fi


function usage()
{
    cat << EOF
    usage: $0 options

    OPTIONS:
        help     Show this message
        check    Only check the configuration, but will not change!
        init     Automately change all configuration to user defined!
EOF
}


case $1 in
     help)
         usage
         exit 1
         ;;
     check)
         AUTOFIX=0
         ;;
     init)
         AUTOFIX=1
         ;;
     *)
             usage
             exit 1
             ;;
esac

if [ -f /etc/asianux-release ]; then
	OSVERSION=`awk '{ print $(NF-2) }' /etc/asianux-release  |awk -F"." '{print $1}'`
    if [ "$OSVERSION" != "7" ]; then
      echo -e "[31mPlease check whether the OS version is RedFlag Asianux 7!!![0m"
      exit 1
    fi
else
    echo -e "[31mPlease check whether the OS version is RedFlag Asianux 7!!![0m"
    exit 1
fi

CHECKTOTAL=0
CHECKFAILED=0
CHECKERROR=0

function add_check_item_total
{
        CHECKTOTAL=$[CHECKTOTAL+1]
}
function add_check_item_failed
{
        [ $CHECKERROR -ne 0 ] && CHECKFAILED=$[CHECKFAILED+1]
}
function add_check_item_error
{
        CHECKERROR=$[CHECKERROR+1]
}

echo "[1;32mStarting Checking System configuration [0m"
echo ""

#YUM config and check
function yum_config_check {
if [ ! -f /etc/yum.repos.d/"$REPOIP"_"$1"_"$2".repo ]; then 
        urlstatus=`curl -s -m 5 -IL http://$REPOIP/repos/asianux/$1/$2/repodata/repomd.xml |grep 200`
        if [ -z "$urlstatus" ]; then
                echo -e "\t\t[31mRepos $1 $2 is unavailable !!![0m"
        else
                cat << EOF > /etc/yum.repos.d/"$REPOIP"_"$1"_"$2".repo
[$1_$2]
name=$1_$2
baseurl=http://$REPOIP/repos/asianux/$1/$2
enabled=1
gpgcheck=0
EOF
        fi
else
        urlstatus="HTTP/1.1 200 OK"
fi 
}


#Check redflag software
echo "[1;96m 1.Checking redflag system software starting ...[0m"
CHECKERROR=0
function check_rpm_install {
value=`rpm -q $1 |grep not `
if [ ! -z "$value" ]; then
        echo -e "\t[31m"$value" !!![0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                yum_config_check baseos $OS_release
                if [ ! -z "$urlstatus" ]; then
                        yum -y install $1 --disablerepo=* --enablerepo=baseos_"$OS_release" >/dev/null 2>&1 && echo -e "\t[32m==>fixed[0m" ||echo -e "\t[31m==>fix failed[0m"
                fi
        fi
fi
}
#OS_release=`awk '{ print $(NF-1) }' /etc/asianux-release `
OS_release=7.9
check_rpm_install libselinux-python
check_rpm_install net-tools
check_rpm_install vim-enhanced
check_rpm_install wget
check_rpm_install unixODBC
check_rpm_install pciutils
check_rpm_install sos
check_rpm_install iotop
check_rpm_install bash-completion
check_rpm_install lsof
check_rpm_install bc
check_rpm_install ftp
check_rpm_install chrony
check_rpm_install nmap-ncat
check_rpm_install strace
check_rpm_install ltrace
check_rpm_install iptraf-ng
check_rpm_install sysstat
check_rpm_install smartmontools
check_rpm_install tigervnc-server
check_rpm_install yum-utils
check_rpm_install iperf3
check_rpm_install dropwatch
check_rpm_install expect
check_rpm_install screen
check_rpm_install perf
check_rpm_install psacct
check_rpm_install abrt
check_rpm_install ipmitool
check_rpm_install openssl-devel
check_rpm_install kernel-devel
check_rpm_install rpmdevtools
if [  -f /etc/yum.repos.d/"$REPOIP"_baseos_"$OS_release".repo ]; then 
        #rm -f /etc/yum.repos.d/"$REPOIP"_baseos_"$OS_release".repo
		sed -i "4c enabled=0" /etc/yum.repos.d/"$REPOIP"_baseos_"$OS_release".repo
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking redflag system software done ![0m"
echo ""

#Check  ssacli and storcli tools
echo "[1;96m 2.Checking ssacli and storcli tools starting ...[0m"
CHECKERROR=0
function check_tool_install {
value=`rpm -q $1 |grep not `
if [ ! -z "$value" ]; then
        echo -e "\t[31m"$value" !!![0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                yum_config_check other "$OSVERSION"-tools 
                if [ ! -z "$urlstatus" ]; then
                        yum -y install $1  --disablerepo=* --enablerepo=other_"$OSVERSION"-tools >/dev/null 2>&1 && echo -e "\t[32m==>fixed[0m" || echo -e "\t[31m==>fix failed[0m"
                fi
        fi
fi
}
#check_tool_install ssacli
check_tool_install storcli
if [  -f /etc/yum.repos.d/"$REPOIP"_other_"$OSVERSION"-tools.repo ]; then 
        #rm -f /etc/yum.repos.d/"$REPOIP"_other_"$OSVERSION"-tools.repo
		sed -i "4c enabled=0" /etc/yum.repos.d/"$REPOIP"_other_"$OSVERSION"-tools.repo
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking ssacli and storcli tools done ![0m"
echo ""

opensshflag=0

#Check software bug fix
echo "[1;96m 3.Checking software bug fix starting ...[0m"
CHECKERROR=0
function check_rpm_update {
value=`rpm -q --qf '%{version}-%{release}\n' $1 `
rpmdev-vercmp $value $2 >/dev/null 2>&1 
if [ $? == 12  ]; then
        echo -e "\t[31m"$1" need update !!![0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                yum_config_check updates asianux-7-server-rpms
                if [ ! -z "$urlstatus" ]; then
						if [ $1 == "openssh" ]; then
							# 保存配置文件，防止更新openssh、openssl配置发生变化
							cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
							cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
						fi						
                        yum -y update "$1"-"$2"  --disablerepo=* --enablerepo=updates_asianux-7-server-rpms >/dev/null 2>&1
                        value1=`rpm -q --qf '%{version}-%{release}\n' $1`
                        rpmdev-vercmp $value1 $2 >/dev/null 2>&1
                        if [ $? == 0  ]; then
                            echo -e "\t[32m==>fixed[0m"
							if [ $1 == "openssh" ]; then
								opensshflag=1
							fi
                        else
                            echo -e "\t[31m==>fix failed[0m"
                        fi
                fi
        fi
fi
}
check_rpm_update polkit 0.112-26.axs7
check_rpm_update openssl 1.1.1k-1.axs7
check_rpm_update openssh 8.8p1-1.axs7
check_rpm_update sudo 1.8.23-10.axs7
#check_rpm_update abrt 2.1.11-60.axs7
#check_rpm_update vim-enhanced 7.4.629-7.axs7
#check_rpm_update sos 3.9-4.axs7

if [ $opensshflag -eq 1 ]; then
	/bin/cp -f /etc/ssh/sshd_config.bak /etc/ssh/sshd_config
	/bin/cp -f /etc/pam.d/sshd.bak /etc/pam.d/sshd
fi

if [ $AUTOFIX -ne 0 ]; then
	cat /etc/pam.d/sshd | grep -i pam_tally2.so
	if [ $? -eq 0 ]; then
		echo "pam_tally2.so already exist"
	else
		sed -i "6a account    required     pam_tally2.so" /etc/pam.d/sshd
		echo "add pam_tally2.so successfull!"
	fi	
fi

if [  -f /etc/yum.repos.d/"$REPOIP"_updates_redflag-7-server-rpms.repo ]; then 
        #rm -f /etc/yum.repos.d/"$REPOIP"_updates_redflag-7-server-rpms.repo
		sed -i "4c enabled=0" /etc/yum.repos.d/"$REPOIP"_updates_redflag-7-server-rpms.repo
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking software bug fix done ![0m"
echo ""


#Configure password policies
echo "[1;96m 4.Checking password policies  [0m"
echo -e "[1m 4.1 Checking password validity starting ...[0m"
CHECKERROR=0
#value=`gawk '/^ *PASS_MAX_DAYS/{print $2}' /etc/login.defs`
#if [ $value != 90 ]; then
#        echo -e "\t[31mPASS_MAX_DAYS is not 90 !!![0m"
#        add_check_item_error
#        [ $AUTOFIX -ne 0 ] && sed -ri "/^ *PASS_MAX_DAYS */c PASS_MAX_DAYS 90" /etc/login.defs && echo -e "\t[32m==>fixed[0m"
#fi

value=`gawk '/^ *PASS_MIN_DAYS/{print $2}' /etc/login.defs`
if [ $value != 6 ]; then
        echo -e "\t[31mPASS_MIN_DAYS is not 6 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -ri "/^ *PASS_MIN_DAYS */c PASS_MIN_DAYS 6" /etc/login.defs && echo -e "\t[32m==>fixed[0m"
fi


value=`gawk '/^ *PASS_MIN_LEN/{print $2}' /etc/login.defs`
if [ $value != 8 ]; then
        echo -e "\t[31mPASS_MIN_LEN is not 8 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -ri "/^ *PASS_MIN_LEN */c PASS_MIN_LEN 8" /etc/login.defs && echo -e "\t[32m==>fixed[0m"
fi

value=`gawk '/^ *PASS_WARN_AGE/{print $2}' /etc/login.defs`
if [ $value != 30 ]; then
        echo -e "\t[31mPASS_WARN_AGE is not 30 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -ri "/^ *PASS_WARN_AGE */c PASS_WARN_AGE 30" /etc/login.defs && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo -e "[1m 4.2 Checking password complexity starting ...[0m"
CHECKERROR=0
value=`gawk -F"pam_pwquality.so" '/pam_pwquality.so/{print  $2}' /etc/pam.d/system-auth-ac `
new_val=`grep 'try_first_pass local_users_only enforce_for_root retry=3 minlen=8 minclass=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-2' /etc/pam.d/system-auth-ac `
if [ $? != 0 ]; then
        echo -e "\t[31mpam_pwquality.so config: $value !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i "s/^[#]\{0,1\}password    requisite     pam_pwquality.so try_first_pass.*/password    requisite     pam_pwquality.so try_first_pass local_users_only enforce_for_root retry=3 minlen=8 minclass=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-2/g" /etc/pam.d/system-auth-ac  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed


echo -e "[1m 4.3 Checking password multiplexing starting ...[0m"
CHECKERROR=0
value=`grep 'sha512 shadow nullok try_first_pass use_authtok remember=5' /etc/pam.d/system-auth-ac `
if [ $? != 0 ]; then
        echo -e "\t[31mpam_unix.so config remember is not 5 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i '/password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok$/s/$/ remember=5/' /etc/pam.d/system-auth-ac  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed


echo -e "[1m 4.4 Checking password locking starting ...[0m"
CHECKERROR=0
value=`grep 'onerr=fail deny=5 unlock_time=600' /etc/pam.d/system-auth-ac `
if [ $? != 0 ]; then
        echo -e "\t[31mpam_tally2.so unlock_time is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "/# User/aauth        required      pam_tally2.so onerr=fail deny=5 unlock_time=600" /etc/pam.d/system-auth-ac && sed -i "/# User/aauth        required      pam_tally2.so onerr=fail deny=5 unlock_time=600" /etc/pam.d/password-auth-ac  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking password policies done ![0m"
echo ""

#Check account policies
echo "[1;96m 5.Checking account policies  [0m"
echo -e "[1m 5.1 Checking non root user with UID 0 ...[0m"
CHECKERROR=0
value=`awk -F: '($3 == 0) { print $1 }' /etc/passwd |grep -v root`
        if [  -n "$value" ]; then
                for user in "$value"
                do
                echo -e "\t[31mUID 0 user is: $user !!![0m"
                add_check_item_error
                [ $AUTOFIX -ne 0 ] && /usr/sbin/userdel $user --force >/dev/null 2>&1   && echo -e "\t[32m==>fixed[0m"
                done
        fi
add_check_item_total
add_check_item_failed

echo -e "[1m 5.2 Checking User's emptypasswords  starting ...[0m"
CHECKERROR=0
value=`awk -F: '($2 == "") { print $1 }' /etc/shadow`
        if [  -n "$value" ]; then
                for user in "$value"
                do
                echo -e "\t[31mEmptypassword user is: $user !!![0m"
                add_check_item_error
                [ $AUTOFIX -ne 0 ] && /usr/sbin/usermod -L $user  && echo -e "\t[32m==>fixed[0m"
                done
        fi
add_check_item_total
add_check_item_failed


# Set User's passwd be expired
echo -e "[1m 5.3 Checking User's passwd should be expired starting ...[0m"
CHECKERROR=0
#for NAME in `cut -d: -f1 /etc/passwd`
#    do
#        MyUID=`id -u $NAME`
#        if [ $MyUID -ge 1000 -a $NAME != 'nfsnobody' -a $NAME != 'admin' ]; then
#             value=`chage -l $NAME 2>/dev/null | egrep  "Maximum" | awk -F: '{print $2}'`
#             if [ $value  != "90" ] ; then
#                echo -e "\t[31mUser $NAME not have the limited expire peirod[0m"
#                add_check_item_error
#                [ $AUTOFIX -ne 0 ] && chage -m 1 -M 90 -W 7 $NAME -d `date '+%Y-%m-%d'` && echo -e "\t[32m==>fixed[0m"
#             fi
#        fi
#done
add_check_item_total
add_check_item_failed

# Set User's passwd not be expired
echo -e  "[1m 5.4 Checking User's passwd should not be expired starting ...[0m"
CHECKERROR=0
#function passwd_not_expired
##{
##        value=`chage -l $1 2>/dev/null`
##        if [ $? -ne 0 ]; then
##        	echo -e "\t[31mNo user : $1 [0m"
##                add_check_item_error
##                return
##        else
##                value=`chage -l $1 2>/dev/null | egrep  "Password expires" | awk '{print $4}'`
##                if [ $value  != "never" ] ; then
##                   echo -e "\t[31mUser $1 not have the unlimited expire peirod [0m"
##                   add_check_item_error
##                   [ $AUTOFIX -ne 0 ] && chage -E -1 -M -1 $1 && echo -e "\t[32m==>fixed[0m"
##                fi
##        fi
##}
#passwd_not_expired root
#passwd_not_expired admin
add_check_item_total
add_check_item_failed

#lock Login of System Accounts
echo -e "[1m 5.5 Checking system accounts starting ...[0m"
CHECKERROR=0
for NAME in `cut -d: -f1 /etc/passwd`
    do
        MyUID=`id -u $NAME`
        value=`/usr/bin/passwd -S "$NAME" 2>/dev/null |grep "in use"`
        ulock=$?
        if [ $MyUID -lt 1000 -a $NAME != 'root' -a $ulock -eq 0 ]; then
            echo -e "\t[31mUser: $NAME   \tis a system account, but not Locked it [0m"
            add_check_item_error
            [ $AUTOFIX -ne 0 ] && usermod -L -s /dev/null $NAME && echo -e "\t[32m==>fixed[0m"
        fi
done
    [ $AUTOFIX -ne 0 ] && usermod -L -s /dev/null nfsnobody > /dev/null 2>&1
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking account policies done ![0m"
echo ""

#Check /etc/profile
echo "[1;96m 6.Checking /etc/profile  [0m"
echo -e  "[1m 6.1 Checking histtimeformat starting ...[0m"
CHECKERROR=0
value=`grep 'HISTTIMEFORMAT=' /etc/profile`
if [ $? != 0 ]; then
        echo -e "\t[31mHISTTIMEFORMAT is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && echo "export HISTTIMEFORMAT=\"%F %T \"" >> /etc/profile  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 6.2 Checking prompt_command starting ...[0m"
CHECKERROR=0
value=`grep 'PROMPT_COMMAND=' /etc/profile`
if [ $? != 0 ]; then
        echo -e "\t[31mPROMPT_COMMAND is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && echo "export PROMPT_COMMAND=\"history -a\"" >> /etc/profile  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 6.3 Checking histcontrol starting ...[0m"
CHECKERROR=0
value=`grep '^export HISTCONTROL' /etc/profile`
if [ $? != 0 ]; then
        echo -e "\t[31mHISTCONTROL is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && echo "export HISTCONTROL=\"ignoredups\"" >> /etc/profile  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 6.4 Checking histsize starting ...[0m"
CHECKERROR=0
value=`grep '^HISTSIZE' /etc/profile |gawk -F'=' '{print $2 }'`
if [ $value != 5 ]; then
        echo -e "\t[31mHISTSIZE config is: $value !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^HISTSIZE=.*/HISTSIZE=5/g" /etc/profile  && echo "export HISTFILESIZE=5" >> /etc/profile && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 6.5 Checking timeout starting ...[0m"
CHECKERROR=0
value=`grep  "export TMOUT=180" /etc/profile `
if [ $? != 0 ]; then
        echo -e "\t[31mTimeOut is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && echo "export TMOUT=180" >> /etc/profile  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

# Check umask value
echo "[1m 6.6 Checking csh umask value starting ...[0m"
CHECKERROR=0
value=`grep 'umask 0' /etc/csh.cshrc |gawk '{print $2 }' |tail -n1 2>/dev/null `
if [ $value != "077" ]; then
    echo -e "\t[31mIncorrect umask value : $value[0m"
    add_check_item_error
    [ $AUTOFIX -ne 0 ] && sed -i 's/umask 0.*/umask 077/g' /etc/csh.cshrc && sed -i '$a\umask 077' /etc/csh.login  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking /etc/profile done ![0m"
echo ""

echo "[1;96m 7.Checking physical security policies  [0m"
#Check disable usb storage
echo "[1m 7.1 Checking usb-storage disable starting ...[0m"
CHECKERROR=0
if [ -f /etc/modprobe.d/usb-storage.conf ]; then
value=`grep "^install usb-storage /bin/true" /etc/modprobe.d/usb-storage.conf `
    if [ $? != 0 ]; then
      echo -e "\t[31mUsb storage is enable !!![0m"
      add_check_item_error
      [ $AUTOFIX -ne 0 ] && echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf  && echo -e "\t[32m==>fixed[0m"
    fi
else
    echo -e "\t[31mUsb storage is enable !!![0m"
    add_check_item_error
    [ $AUTOFIX -ne 0 ] && echo "install usb-storage /bin/true" >> /etc/modprobe.d/usb-storage.conf  && echo -e "\t[32m==>fixed[0m"

fi
add_check_item_total
add_check_item_failed

#Check control-alt-delete keyboard shortcuts
echo "[1m 7.2 Checking CTL+ALT-DEL keyboard shortcuts ...[0m"
CHECKERROR=0
value=`systemctl is-enabled ctrl-alt-del.target`
if [ "$value" != "masked" ]; then
        echo -e "\t[31mControl-alt-delete keyboard shortcuts is enable !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && systemctl mask ctrl-alt-del.target >/dev/null 2>&1   && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking physical security policies done ![0m"
echo ""

#Check runlevel
echo "[1;96m 8.Checking runlevel starting ...[0m"
CHECKERROR=0
value=`systemctl get-default`
if [ $value != multi-user.target ]; then
   echo -e  "\t[31mSystem runlevel is : $value[0m"
   add_check_item_error
   [ $AUTOFIX -ne 0 ] && systemctl set-default multi-user.target >/dev/null 2>&1   && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking runlevel done ![0m"
echo ""

# Check Banner configuration
echo "[1;96m 9.Checking banner starting ...[0m"
CHECKERROR=0
function check_banner {
value=`cat $1`
if [ "$value" != "$2" ] ;then
   echo -e "\t[31mFile : $1 with incorrect context of : '$value' [0m"
   add_check_item_error
   [ $AUTOFIX -ne 0 ] && echo "$2" > "$1" && echo -e "\t[32m==> fixed[0m"
fi
}
check_banner /etc/issue "ATTENTION:You have logged onto a secured server..ONLY Authorized users can access.."
check_banner /etc/issue.net "ATTENTION:You have logged onto a secured server..ONLY Authorized users can access.."
check_banner /etc/motd "ATTENTION:You have logged onto a secured server..ONLY Authorized users can access.."
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking banner done ![0m"
echo ""

#Check Dangerous files
echo "[1;96m 10.Checking dangerous files starting ...[0m"
CHECKERROR=0
function dangerous_file_check {
if [ -f $1 ]; then
     echo -e "\t[31m$1 : is a dangerous file! [0m"
     add_check_item_error
     [ $AUTOFIX -ne 0 ] && /bin/rm -rf $1 && echo -e "\t\t[32m==>fixed[0m"
fi
}
dangerous_file_check /root/.rhosts
dangerous_file_check /root/.shosts
dangerous_file_check /etc/hosts.equiv
dangerous_file_check /etc/shosts.equiv
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking dangerous files done ![0m"
echo ""

#Check /etc/pam.d/su
echo "[1;96m 11.Checking /etc/pam.d/su starting ...[0m"
CHECKERROR=0
value=`grep  "pam_wheel.so use_uid root_only" /etc/pam.d/su `
if [ $? != 0 ]; then
        echo -e "\t[31mlimitsuroot is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}auth\t\trequired\tpam_wheel.so use_uid.*/auth\t\trequired\tpam_wheel.so use_uid root_only/' /etc/pam.d/su  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking /etc/pam.d/su done ![0m"
echo ""

#Check /etc/host.conf
echo "[1;96m 12.Checking IP spoof and multi IP binding starting ...[0m"
CHECKERROR=0
value=`grep  "^multi off" /etc/host.conf `
if [ $? != 0 ]; then
        echo -e "\t[31mDisable multi IP binding  is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}multi.*/multi off/g' /etc/host.conf  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m   Checking IP spoof and multi IP binding done ![0m"
echo ""

#Check tcp wrappers
echo "[1;96m 13.Checking tcp wrappers starting ...[0m"
CHECKERROR=0
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking tcp wrappers done ![0m"
echo ""


#Check /etc/cron.allow
echo "[1;96m 14.Checking cron security policy starting ...[0m"
CHECKERROR=0
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking cron security policy done ![0m"
echo ""

# Check sshd configure
echo "[1;96m 15.Checking sshd security policies  [0m"
echo "[1m 15.1 Checking sshd Port starting ...[0m"
CHECKERROR=0
value=`grep  "^Port 22" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mPort is not explicit config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}Port.*/Port 22/g' /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 15.2 Checking sshd Protocol starting ...[0m"
CHECKERROR=0
value=`grep  "^Protocol 2" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mProtocol is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i '/^Port 22/aProtocol 2'  /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 15.3 Checking sshd LogLevel starting ...[0m"
CHECKERROR=0
value=`grep  "^LogLevel INFO" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mLogLevel is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}LogLevel.*/LogLevel INFO/' /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 15.4 Checking sshd PermitRootLogin starting ...[0m"
CHECKERROR=0
#value=`grep  "^PermitRootLogin no" /etc/ssh/sshd_config `
#if [ $? != 0 ]; then
#        echo -e "\t[31mDisable PermitRootLogin is not config !!![0m"
#        add_check_item_error
#        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
#fi
add_check_item_total
add_check_item_failed

echo "[1m 15.5 Checking sshd MaxAuthTries starting ...[0m"
CHECKERROR=0
value=`grep  "^MaxAuthTries 6" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mMaxAuthTries is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}MaxAuthTries.*/MaxAuthTries 6/' /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 15.6 Checking sshd PermitEmtyPasswords starting ...[0m"
CHECKERROR=0
value=`grep  "^PermitEmptyPasswords no" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mNo permitEmptyPasswords  is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}PermitEmptyPasswords.*/PermitEmptyPasswords no/' /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 15.7 Checking sshd UseDNS starting ...[0m"
CHECKERROR=0
value=`grep  "^UseDNS no" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mDsiable UseDNS  is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/^[#]\{0,1\}UseDNS.*/UseDNS no/' /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 15.8 Checking sshd Banner starting ...[0m"
CHECKERROR=0
value=`grep  "^Banner /etc/issue" /etc/ssh/sshd_config `
if [ $? != 0 ]; then
        echo -e "\t[31mBanner  is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}Banner.*/Banner \/etc\/issue/g"  /etc/ssh/sshd_config  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking sshd security policies done ![0m"
echo ""

# Check vsftp
echo "[1;96m 16.Checking vsftpd security policies  [0m"
if [ -f /etc/vsftpd/vsftpd.conf ]; then
echo "[1m 16.1 Checking disable anonymous ftp login starting ...[0m"
CHECKERROR=0
value=`grep  "^anonymous_enable=NO" /etc/vsftpd/vsftpd.conf `
if [ $? != 0 ]; then
        echo -e "\t[31manonymous user is enable !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}anonymous_enable=.*/anonymous_enable=NO/g"  /etc/vsftpd/vsftpd.conf  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo ""

echo "[1m 16.2 Checking disable root ftp login starting ...[0m"
CHECKERROR=0
value=`grep "^root" /etc/vsftpd/ftpusers `
if [ $? != 0 ]; then
        echo -e "\t[31mroot user is enable !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}root/root/g"  /etc/vsftpd/ftpusers   && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo ""

echo "[1m 16.3 Checking enable vsftpd log starting ...[0m"
CHECKERROR=0
value=`grep "^xferlog_file=\/var\/log\/xferlog" /etc/vsftpd/vsftpd.conf `
if [ $? != 0 ]; then
        echo -e "\t[31mvsftpd logfile is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}xferlog_file.*/xferlog_file=\/var\/log\/xferlog/g"  /etc/vsftpd/vsftpd.conf   && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 16.4 Checking vsftpd banner starting ...[0m"
CHECKERROR=0
value=`grep "^banner_file=/etc/issue" /etc/vsftpd/vsftpd.conf `
if [ $? != 0 ]; then
        echo -e "\t[31mvsftpd banner not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i '$a\banner_file=/etc/issue' /etc/vsftpd/vsftpd.conf   && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
fi
echo "[1;96m    Checking vsftpd security policies done ![0m"
echo ""

# Check service is exsit or stopped
echo "[1;96m 17.Checking any forbid services starting ...[0m"
CHECKERROR=0
for service in autofs dnsmasq firewalld rhnsd rhsmcertd  bluetooth cups-browsed cups postfix ModemManager rpcbind rpc-statd nfs-server nfs-idmapd nfs-config nfs-mountd upower gssproxy gdm avahi-daemon dmraid-activation firstboot-graphical iscsid libvirtd mdmonitor microcode qemu-guest-agent spice-vdagentd nfs-client.target zebra ypbind rlogin.socket rsh.socket rexec.socket xinetd
do
value1=`systemctl is-enabled "$service" 2>/dev/null`
value2=`systemctl is-active "$service" 2>/dev/null`
 [ "$value1" == "enabled" ] && echo -e "\t[31mservice :\t$service  \tis\tenabled[0m" && add_check_item_error
 [ "$value1" == "enabled" ] && [ $AUTOFIX -ne 0 ]  && systemctl disable $service 2> /dev/null   && echo -e "\t[32m==>fixed[0m"
 [ "$value2" == "active" ] && echo -e "\t[31mservice :\t$service  \tis\trunning[0m" &&  add_check_item_error
 [ "$value2" == "active" ] && [ $AUTOFIX -ne 0 ]  && systemctl stop $service >/dev/null 2>&1   && echo -e "\t[32m==>fixed[0m"

done
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking any forbid services done ![0m"
echo ""

# Check permission of file or diretory
echo "[1;96m 18.Checking file and diretory security policies  [0m"
echo "[1m 18.1 Checking file/diretory permission starting ...[0m"
CHECKERROR=0
function file_permission_check {
#value=`/bin/ls -ld "$1" 2>/dev/null`
value=`stat -c %A "$1" `
if [ $? -eq 0 ]; then
num=`stat -c %a "$1" `
if [ $num != "$3"  ]; then
    echo -e "\t[31m$1 with incorrect permission :  \t$value[0m"
    add_check_item_error
    [ $AUTOFIX -ne 0 ] && /bin/chmod $3 "$1" && echo -e "\t[32m==>fixed[0m"
fi
else
   echo -e "\tError occur when ls $1"
fi
}

file_permission_check /tmp "drwxrwxrwt" 1777
file_permission_check /var/tmp "drwxrwxrwt" 1777
file_permission_check /etc/passwd "-rw-r--r--" 644
file_permission_check /etc/group "-rw-r--r--" 644
file_permission_check /etc/shadow "-r--------" 400
file_permission_check /etc/gshadow "-r--------" 400
file_permission_check /etc/hosts "-rw-r--r--" 644
file_permission_check /etc/crontab  "-rw-------" 600
file_permission_check /etc/securetty "-r--------" 400
file_permission_check /boot/grub2/grub.cfg "-rw-------" 600
file_permission_check /etc/login.defs "-rw-r-----" 640
file_permission_check /etc/profile "-rw-r--r--" 644
file_permission_check /etc/bashrc "-rw-r--r--" 644
file_permission_check /etc/hosts.allow "-rw-------" 600
file_permission_check /etc/hosts.deny "-rw-------" 600
#file_permission_check /etc/exports "-rw-------" 600
file_permission_check /etc/crontab "-rw-------" 600
file_permission_check /etc/cron.deny "-r--------" 400
file_permission_check /etc/cron.daily "-r--------" 400
file_permission_check /etc/cron.d "-r--------" 400
file_permission_check /etc/cron.hourly "-r--------" 400
file_permission_check /etc/cron.monthly "-r--------" 400
file_permission_check /etc/cron.weekly "-r--------" 400
file_permission_check /bin/rpm "-rwx------" 700
file_permission_check /etc/ssh "-rwxr-x---" 750
file_permission_check /etc/sysctl.conf "-r--------" 400
file_permission_check /etc/rsyslog.conf "-rw-rw----" 640
file_permission_check /etc/pam.d "-rwxr-x---" 750
#file_permission_check /var/log/wtmp "-rw-rw----" 660
file_permission_check /var/log/lastlog "-rw-r-----" 640
file_permission_check /var/log/messages "-rw-r--r--" 644
file_permission_check /etc/rc.d/rc0.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/rc1.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/rc2.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/rc3.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/rc4.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/rc5.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/rc6.d "-rwxr-x---" 750
file_permission_check /etc/rc.d/init.d/ "-rwxr-x---" 750
add_check_item_total
add_check_item_failed

#Check owner of file or diretory
echo "[1m 18.2 Checking file/diretory owner starting ...[0m"
CHECKERROR=0
function file_owner_check {
value=`/bin/ls -ld "$1" 2>/dev/null`
if [ $? -eq 0 ]; then
value=`echo $value | gawk '{print $3":"$4}'`
if [ "$value" != "$2" ]; then
     echo -e "\t[31m$1 have incorrect owner : \t$value [0m"
     add_check_item_error
     [ $AUTOFIX -ne 0 ] && /bin/chown $2 $1 && echo -e "\t\t[32m==>fixed[0m"
fi
else
     echo -e "\tError occur when ls $1"
fi
}
file_owner_check /tmp "root:root"
file_owner_check /var/tmp "root:root"
file_owner_check /etc/passwd "root:root"
file_owner_check /etc/group "root:root"
file_owner_check /etc/shadow "root:root"
file_owner_check /etc/gshadow "root:root"
file_owner_check /etc/hosts "root:root"
file_owner_check /etc/sysctl.conf "root:root"
file_owner_check /etc/crontab "root:root"
file_owner_check /etc/securetty "root:root"
file_owner_check /boot/grub2/grub.cfg "root:root"
file_owner_check /etc/login.defs "root:root"
file_owner_check /etc/profile "root:root"
file_owner_check /etc/bashrc "root:root"
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking file and diretory security policies done ![0m"
echo ""


# Check kernel parameters
function check_sysctl {
value=`sysctl -n "$1"`
if [ $value -ne $2 ]; then
        echo -e "\t[31mKernel parameter : $1 with incorrect value : \t$value[0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                echo -e "\t\tChange kernel parameter in /proc"
                /sbin/sysctl -q -w $1=$2
                echo -e "\t\t[32m==>fixed[0m"
                echo -e "\t\tChange kernel parameter in /etc/sysctl.conf"
                grep -q "$1" /etc/sysctl.conf
                if [ $? -eq 0 ]; then
                        sed -ri "/$1/c "$1" = $2"       /etc/sysctl.conf
                else
                        echo "$1 = $2 " >> /etc/sysctl.conf
                fi
                echo -e "\t\t[32m==>fixed[0m"
               # echo "Please check with sysctl -a | grep $1 and /etc/sysctl.conf to confirm"
        fi
fi
}
echo "[1;96m 19.Checking kernel parameters starting ...[0m"
CHECKERROR=0
check_sysctl net.ipv4.tcp_syncookies  1
check_sysctl net.ipv4.conf.all.rp_filter 1
check_sysctl net.ipv4.conf.default.rp_filter 1
check_sysctl net.ipv4.conf.all.accept_source_route 0
check_sysctl net.ipv4.conf.all.forwarding 0
check_sysctl net.ipv4.conf.all.mc_forwarding 0
check_sysctl net.ipv4.conf.all.accept_redirects 0
check_sysctl net.ipv4.conf.all.secure_redirects 0
check_sysctl net.ipv4.conf.all.send_redirects 0
check_sysctl net.ipv4.ip_forward 0
check_sysctl net.ipv4.ip_no_pmtu_disc 1
check_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking kernel parameters done ![0m"
echo ""

#Check scp 
echo "[1;96m 20.Checking scp command disable starting ...[0m"
CHECKERROR=0
path_value=`whereis scp |awk '{print $2}'`
if [ -n $path_value ]; then
perm_value=`stat -c %A "$path_value" |grep x  2>/dev/null ` 
if [ $? == 0  ]; then
    echo -e "\t[31mscp disable is not config，it's permission :  \t$perm_value[0m"
    add_check_item_error
    [ $AUTOFIX -ne 0 ] && /bin/chmod a-x  "$path_value" && echo -e "\t[32m==>fixed[0m"
fi
else
   echo -e "\tError occur when whereis scp"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking scp command disable  done ![0m"
echo ""


#Check selinux
echo "[1;96m 21.Checking selinux configuration starting ...[0m"
CHECKERROR=0
value=`gawk -F'=' '/^SELINUX=/{print $2}' /etc/selinux/config`
if [ "$value" != "disabled" ]; then
        echo -e "\t[31mSystem selinux is $value !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking selinux configuration done ![0m"
echo ""


#Check chronyd
echo "[1;96m 22.Checking chrony configuration starting ...[0m"
#CHECKERROR=0
#function chronyd_check {
#value=`grep $1 /etc/chrony.conf`
#if [  $? != 0 ]; then
#     echo -e "\t[31mNTP Server $1 : is not config !!![0m"
#     add_check_item_error
#     [ $AUTOFIX -ne 0 ] && echo "server $1 iburst" >> /etc/chrony.conf && echo -e "\t\t[32m==>fixed[0m"
#fi
#}
#chronyd_check 154.233.33.99 
#chronyd_check 177.222.3.99
#chronyd_check 154.211.33.141
#chronyd_check 177.225.1.141

#if [ $AUTOFIX -ne 0 ]; then
#	sed -i 's/0.centos.pool.ntp.org/154.233.33.99/' /etc/chrony.conf
#	sed -i 's/1.centos.pool.ntp.org/177.222.3.99/' /etc/chrony.conf
#	sed -i 's/2.centos.pool.ntp.org/154.211.33.141/' /etc/chrony.conf
#	sed -i 's/3.centos.pool.ntp.org/177.225.1.141/' /etc/chrony.conf
#
#	systemctl enable chronyd.service
#	systemctl restart chronyd.service
#fi


#add_check_item_total
#add_check_item_failed
echo "[1;96m    Checking chrony configuration done ![0m"
echo ""

#Check rsyslog and logrotate 
echo "[1;96m 23.Checking rsyslog configuration starting ...[0m"
echo "[1m 23.1 Checking default logrotate starting ...[0m"
CHECKERROR=0
value=`gawk '/^rotate/{print $2}' /etc/logrotate.conf`
if [ "$value" != "24" ]; then
        echo -e "\t[31mSystem log rotate is $value !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i "s/rotate 4/rotate 24/" /etc/logrotate.conf && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 23.2 Checking kern log starting ...[0m"
CHECKERROR=0
value=`grep '^kern.\*' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog kern.* is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i "s/^[#]\{0,1\}kern/kern/g" /etc/rsyslog.conf && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 23.3 Checking news log starting ...[0m"
CHECKERROR=0
value=`grep '^news.crit' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog news.crit is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\news.crit /var/log/news/news.crit' /etc/rsyslog.conf && echo -e "\t[32m==>fixed[0m"
fi
value=`grep '^news.err' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog news.err is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\news.err /var/log/news/news.err' /etc/rsyslog.conf && echo -e "\t[32m==>fixed[0m"
fi
value=`grep '^news.notice' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog news.notice is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\news.notice /var/log/news/news.notice' /etc/rsyslog.conf && echo -e "\t[32m==>fixed[0m"
fi

if [ ! -f /etc/logrotate.d/news ]; then
        echo -e "\t[31mLogrotate news log is not config  !!![0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                cat << EOF > /etc/logrotate.d/news
/var/log/news/news.crit
/var/log/news/news.err
/var/log/news/news.notice
{
    missingok
    monthly
    rotate 12
    create 0600 root root
}
EOF
            echo -e "\t[32m==>fixed[0m"
        fi    
fi
add_check_item_total
add_check_item_failed

echo "[1m 23.4 Checking /var/adm/messages file starting ...[0m"
CHECKERROR=0
value=`grep '*.err;kern.debug;daemon.notice /var/adm/messages' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog /var/adm/messages is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\*.err;kern.debug;daemon.notice /var/adm/messages' /etc/rsyslog.conf && mkdir -p /var/adm && echo -e "\t[32m==>fixed[0m"
fi
if [ ! -f /etc/logrotate.d/adm ]; then
        echo -e "\t[31mLogrotate adm log is not config  !!![0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                cat << EOF > /etc/logrotate.d/adm
/var/adm/messages {
     missingok
     monthly
     rotate 12
     create 0666 root root
}
EOF
            echo -e "\t[32m==>fixed[0m"
        fi    
fi

add_check_item_total
add_check_item_failed

echo "[1m 23.5 Checking remote rsyslog starting ...[0m"
CHECKERROR=0
value=`grep '^*.* @154.233.40.200' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog to 154.233.40.200 is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\*.* @154.233.40.200' /etc/rsyslog.conf && echo -e "\t[32m==>fixed[0m"
fi
value=`grep '^*.* @177.222.11.200' /etc/rsyslog.conf`
if [ -z "$value"  ]; then
        echo -e "\t[31mRsyslog to 177.222.11.200 is not config !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i '$a\*.* @177.222.11.200' /etc/rsyslog.conf && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking rsyslog configuration done ![0m"
echo ""


#Check audit rules
echo "[1;96m 24.Checking audit configuration [0m"
echo "[1m 24.1 Checking audit rules starting ...[0m"
CHECKERROR=0
value=`grep '/etc/passwd' /etc/audit/rules.d/audit.rules`
if [ $? != 0 ]; then
        echo -e "\t[31mAudit rules is not config  !!![0m"
        add_check_item_error
        if [ $AUTOFIX -ne 0 ]; then
                cat << EOF >> /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec

-w /etc/crontab -p wa -k crontab
-w /etc/hosts -p wa -k hosts
-w /etc/hosts.allow -p wa -k hosts-allow
-w /etc/hosts.deny -p wa -k hosts-deny
-w /etc/fstab -p wa -k fstab
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow
-w /etc/chrony.conf -p wa -k ntp
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/security/limits.conf -p wa -k limits
-w /boot/grub2/grub.cfg -p wa -k grub
-w /etc/ssh/sshd_config -p wa -k ssh
-w /etc/udev/rules.d/ -p wa -k udev
-w /etc/profile -p wa -k profile
-w /etc/kdump.conf -p wa -k kdump
-w /etc/lvm/lvm.conf -p wa -k lvm
-w /etc/login.defs -p wa -k login-defs
-w /etc/rsyslog.conf -p wa -k rsyslog
-w /etc/locale.conf  -p wa -k i18n
-w /etc/sysconfig/network -p wa -k network
-w /etc/multipath.conf -p wa -k multipath
EOF
            echo -e "\t[32m==>fixed[0m"
        fi
fi
add_check_item_total
add_check_item_failed

echo "[1m 24.2 Checking auditd.conf starting ...[0m"
CHECKERROR=0
value=`gawk '/^ *num_logs/{print $3}' /etc/audit/auditd.conf`
if [ $value -lt 4 ]; then
        echo -e "\t[31mnum_logs is not 4 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}num_logs.*/num_logs = 4/g" /etc/audit/auditd.conf && echo -e "\t[32m==>fixed[0m"
fi

value=`gawk '/^ *max_log_file.=/{print $3}' /etc/audit/auditd.conf`
if [ $value -lt 50 ]; then
        echo -e "\t[31mmax_log_file is not 50 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}max_log_file =.*/max_log_file = 50/g" /etc/audit/auditd.conf && echo -e "\t[32m==>fixed[0m"
fi

value=`gawk '/^ *flush/{print $3}' /etc/audit/auditd.conf`
if [ "$value" != "NONE" ]; then
        echo -e "\t[31mflush is not NONE !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i "s/^[#]\{0,1\}flush.*/flush = NONE/g" /etc/audit/auditd.conf && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking audit configuration done ![0m"
echo ""

#Check limit
echo "[1;96m 25.Checking ulimit configuration ...[0m"
echo "[1m 25.1 Checking 20-nproc.conf file starting ...[0m"
CHECKERROR=0
if [ -f  /etc/security/limits.d/20-nproc.conf ]; then
        echo -e "\t[31m20-nproc.conf file is not delete !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && rm -f /etc/security/limits.d/20-nproc.conf  && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed

echo "[1m 25.2 Checking limits.conf file starting ...[0m"
CHECKERROR=0
value=`gawk '/^*.*hard.*.core/{print $4}' /etc/security/limits.conf`
if [ -z $value ]; then
        echo -e "\t[31mlimit core is not 0 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/# End of file/\*               soft    core  0\n\*               hard    core  0\n# End of file/' /etc/security/limits.conf && echo -e "\t[32m==>fixed[0m"
fi

value=`gawk '/^*.*hard.*.nofile/{print $4}' /etc/security/limits.conf`
if [ -z $value ]; then
        echo -e "\t[31mlimit nofile is not 65535 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/# End of file/\*               soft    nofile  65535\n\*               hard    nofile  65535\n# End of file/' /etc/security/limits.conf && echo -e "\t[32m==>fixed[0m"
fi

value=`gawk '/^*.*hard.*.nproc/{print $4}' /etc/security/limits.conf`
if [ -z $value ]; then
        echo -e "\t[31mlimit nproc is not 65535 !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] && sed -i 's/# End of file/\*               soft    nproc  65535\n\*               hard    nproc  65535\n# End of file/' /etc/security/limits.conf && echo -e "\t[32m==>fixed[0m"
fi

add_check_item_total
add_check_item_failed
echo "[1;96m    Checking ulimit configuration done ![0m"
echo ""

#Check crontab MAILTO
echo "[1;96m 26.Checking crontab MAILTO starting ...[0m"
CHECKERROR=0
value=`gawk -F'=' '/^MAILTO=/{print $2}' /etc/crontab`
if [ "$value" == "root" ]; then
        echo -e "\t[31mCrontab MAILTO is not disable !!![0m"
        add_check_item_error
        [ $AUTOFIX -ne 0 ] &&  sed -i 's/^MAILTO=.*/MAILTO=""/g' /etc/crontab && echo -e "\t[32m==>fixed[0m"
fi
add_check_item_total
add_check_item_failed
echo "[1;96m    Checking crontab MAILTO done ![0m"
echo ""

#Check /etc/aliases configure
echo "[1;96m 27.Checking /etc/aliases starting ...[0m"
CHECKERROR=0
function check_aliases {
value=`grep "^$1" /etc/aliases `
if [ ! -z "$value" ]; then
     echo -e "\t[31m/etc/aliases $1 is not disable!!! [0m"
     add_check_item_error
     [ $AUTOFIX -ne 0 ] && sed -i -r "s/^$1(.*)/#$1\1/" /etc/aliases && /usr/bin/newaliases &&echo -e "\t\t[32m==>fixed[0m"
fi
}
check_aliases game
check_aliases ingres
check_aliases system
check_aliases toor
check_aliases uucp
check_aliases manager
check_aliases dumper
check_aliases operator
check_aliases decode
check_aliases root

add_check_item_total
add_check_item_failed
echo "[1;96m    Checking /etc/aliases done ![0m"
echo ""



#重启sshd服务 且 添加rc.local可执行权限
if [ $AUTOFIX -ne 0 ]; then
	systemctl restart sshd
	chmod 755 /etc/rc.d/rc.local
fi

res="[1;32mTotal checked item : [$CHECKTOTAL], Failed item : [$CHECKFAILED] [0m" 
echo $res

echo "系统加固完成后建议重启操作系统!!!"
if [ $AUTOFIX -ne 0 -a $opensshflag -eq 1 ]; then
	reboot
fi


